Setting Up Reverse Proxy on QNAP

1. The problem I’m having:

I’ve tried doing this so many different ways on different days, but I just can’t get it to work. And it’s especially frustrating since so many people say it’s so easy to do. So hopefully someone here can explain it to me like I’m 5.

I have a QNAP NAS that I’m trying to install Caddy on simply for the reverse-proxy.

I’ve tried installing it via Explore in Container Station, but I have no idea what to do for the Advanced Settings and it doesn’t seem to do anything as is.

I’ve tried installing it via Applications > Create in Container Station, but it says there’s something wrong with my YAML code when websites say the code is fine.

What I’ve done most recently is installed Caddy2 from App Center via the MyQNAP repo, but for some reason I wonder if it’s not as safe as the others.

I do think I might be close doing it this way and my guess is I need to edit Caddy2.sh in the Caddy2 folder and put a Caddyfile somewhere, but to what and where I don’t know. I see /etc/caddy/Caddyfile referenced a lot in documentation, but when I tried to make the dir caddy in etc I got “permission denied”. Is this etc dir not in the root dir, but somewhere else? Sorry, I’m still new to Linux. Via the find command I see multiple etc folders.

I don’t see the Caddyfile’s path referenced at all in Caddy2.sh however. It should, right?

And after doing all that I now have a bunch of caddy folders and files way down in my Container folder (it looks like removals didn’t remove everything) that I can see from File Station, but they all seem to just be copies of the defaults.

The one thing I do think I understand is what to put in my Caddyfile. It’s simply:

something.myqnapcloud.com {
    reverse_proxy localhost:8920
}

But even that I’m not sure. 8920 is the default port for Jellyfin.

I do know how to ssh, but I’m not great at it as I’m only just now learning Linux. I can move around the folders and create and delete stuff, but that’s about it. I’ve read countless webpages and watched several videos on setting up Caddy, but they either skip steps or are talking about some other way of setting it up.

Am I correct in understanding that once Caddy is set up I don’t have to change anything in Jellyfin’s networking page? Like the checkbox enabling HTTPS or the path to the SSL cert? I’ve read that Caddy takes care of everything, but I wonder if the answer to that is, “well, not exactly”.

I also noticed there’s a reverse proxy in QNAP’s Control Panel > Network Access page, which appears to be even simpler than Caddy, but I’m not even sure what to enter for it and I don’t know if it’s a good enough substitute for Caddy or not.

I got everything else I wanted on the NAS set up fine so I’m not a total idiot. I’d just like to make it more secure. Thank you.

2. Error messages and/or full log output:

Permission denied

3. Caddy version:

When I tried via Create in Container Station I tried latest (2.8.4). I’m not sure what version it used when I searched from Explore in Container Station. When I installed it from MyQNAP repo via App Center it said 2.8.2.

4. How I installed and ran Caddy:

a. System environment:

First I tried via Explore in QNAP’s Container Station. Then I tried via Create in QNAP’s Container Station. Then I tried via MyQNAP repo in QNAP’s App Center.

b. Command:

I haven’t successfully run any Caddy commands. I’m under the impression it’s not even necessary for what I’m trying to do. I did read the Caddy documentation and saw that it said to put caddy and curl in PATH, but I’m not even sure where PATH is on QNAP.

c. Service/unit/compose file:

services:
  caddy:
    image: caddy:2.8.4
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
      - "443:443/udp"
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile
      - ./site:/srv
      - caddy_data:/data
      - caddy_config:/config

volumes:
  caddy_data:
  caddy_config:

d. My complete Caddy config:

something.myqnapcloud.com {
    reverse_proxy localhost:8920
}

5. Links to relevant resources:

Oh man, I’ve read so many webpages on this topic now that I’m in a daze from it all.

I don’t know anything about QNAP. How exactly are you installing Caddy? Is it running as a Docker container?

Well if it is Docker, this is correct:

Where the Caddyfile is on the host machine doesn’t matter as long as you mount it to /etc/caddy/Caddyfile in your Docker container (if that is how you’re running it). But ./Caddyfile here means “the file is relative to the docker-compose.yml, sitting right next to it”.

If you’re running in Docker, localhost means “this same container”, so this wouldn’t work. You’d need to use the container name or service name of what you want to proxy to instead (e.g. something:8920 or whatever)

You mentioned Jellyfin, if that’s also running in Docker then it would probably be jellyfin:8096 (that’s the port Jellyfin uses by default).


Thanks. I appreciate you trying to make sense of the mess I’m in.

[quote=“francislavoie, post:2, topic:24592, full:true”]
I don’t know anything about QNAP. How exactly are you installing Caddy? Is it running as a Docker container?[/quote]

I think because I’ve tried 3 different ways that it might be confusing. The first 2 ways, via Container Station, are, I’m pretty sure, Docker. I think anything installed via Container Station is probably Docker. The last one, however, via App Center, I don’t think is. That’s also the one I posted the most info about, like about the Caddy2.sh file.

I guess since you don’t know QNAP you might not know this, but should it be easier to set up Caddy via a docker container or a repo app? I feel like I should pick one way and forget the others otherwise it’s too confusing.

[quote=“francislavoie, post:2, topic:24592, full:true”]

Well if it is Docker, this is correct:

[quote=“kq76, post:1, topic:24592”]

    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile

[/quote][/quote]

Okay, well that way I got the least far (it wouldn’t even accept the code), so while I’m pretty sure that is Docker, I think we should forget about it.

[quote=“francislavoie, post:2, topic:24592, full:true”]
Where the Caddyfile is on the host machine doesn’t matter as long as you mount it to /etc/caddy/Caddyfile in your Docker container (if that is how you’re running it). But ./Caddyfile here means “the file is relative to the docker-compose.yml, sitting right next to it”.[/quote]

Okay, that’s good to know. So by relative that means that wherever the caddyfile is that’s also where this etc folder should be? Again, I think I’m going to drop trying it this way, for now at least, but it’s good to understand better how these paths work.

Oh! That’s interesting. I thought localhost meant this computer. I suppose maybe it normally does, but not with docker containers.

I’m pretty sure Jellyfin is not in a docker container however. I installed it via a github repo via App Center.

8096 is the HTTP port JF uses, but I thought the whole idea of the reverse-proxy is to turn http requests into https requests, so shouldn’t I be using JF’s default HTTPS port of 8920 in the caddyfile?

I’m going to go ahead and post the code of the caddy2.sh file that is created via the, I think, non-Docker app as I think this might be the easiest way I’m going to get this working since Docker seems to be making it more difficult:

#!/bin/sh
CONF=/etc/config/qpkg.conf
QPKG_NAME="Caddy2"
QPKG_ROOT=`/sbin/getcfg $QPKG_NAME Install_Path -f ${CONF}`
APACHE_ROOT=`/sbin/getcfg SHARE_DEF defWeb -d Qweb -f /etc/config/def_share.info`
export QNAP_QPKG=$QPKG_NAME


export QPKG_ROOT
export QPKG_NAME
export APACHE_ROOT


export SHELL=/bin/sh
export LC_ALL=en_US.UTF-8
export USER=admin
export LANG=en_US.UTF-8
export LC_CTYPE=en_US.UTF-8

ulimit -n 8192

export PIDF=/var/run/caddy.pid

case "$1" in
  start)
    ENABLED=$(/sbin/getcfg $QPKG_NAME Enable -u -d FALSE -f $CONF)
    if [ "$ENABLED" != "TRUE" ]; then
        echo "$QPKG_NAME is disabled."
        exit 1
    fi
/bin/ln -sf $QPKG_ROOT /opt/$QPKG_NAME
/bin/ln -sf $QPKG_ROOT/caddy /usr/bin/caddy


caddy -agree -port 20016 -root /home/Qhttpd -log $QPKG_ROOT/var/logs/caddy.log -pidfile /var/run/caddy.pid &

    ;;

  stop)

ID=$(more /var/run/caddy.pid)

        if [ -e $PIDF ]; then
            kill -9 $ID
            rm -f $PIDF
        fi


rm -rf /opt/$QPKG_NAME
rm -rf /usr/bin/caddy

    ;;

  restart)
    $0 stop
    $0 start
    ;;

  *)
    echo "Usage: $0 {start|stop|restart}"
    exit 1
esac

exit 0

Should I change anything about that? Like I’ve gotten the impression I should change the line near the center starting with “caddy” and say where the caddyfile will be.

If there’s some kind of “Caddy app” in QNAP, that’s certainly not something we officially support, so you’d need to get help from the author of that “app”.

If you’re using Docker, then that’s something we can support, because we ship an official Caddy Docker image. Our recommended instructions for using Caddy with Docker Compose are here: Keep Caddy Running — Caddy Documentation

You might need to get help from some QNAP community otherwise.

. means “current directory” and .. means “parent directory”, so ./Caddyfile means “the file called Caddyfile, adjacent to this file”.

Exactly – in Docker, the container acts like a “virtual computer” if you want to use those terms. localhost is rarely useful in Docker because typically you have one process/program per container.

Then you’d have to use the IP address of the machine it’s running on, or something like that.

No, Caddy terminates TLS (so HTTPS between your browser and Caddy) but then you reverse proxy over HTTP to the app. You don’t need HTTPS between Caddy and the app because the traffic is in your private network; the only way it would be a problem is if some attacker had access to your network already, in which case it would already be game-over. It’s more efficient this way anyway because making another HTTPS connection adds overhead (would slow things down).

Your other option is to just follow one of our official installation methods: Install — Caddy Documentation (and read the Keep Caddy Running page as well, for how to use it from there on). If none of those make sense for your setup, then you’ll need to get help from QNAP communities.
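The two corrections from the replies above, put into one Caddyfile as an added example that is not part of the original thread. The address 192.168.1.10 is a constructed placeholder for the NAS's LAN IP, and `jellyfin` is an assumed Compose service name.

```caddyfile
# Added example, not from the thread. Mounted into the official image at
# /etc/caddy/Caddyfile via the "./Caddyfile:/etc/caddy/Caddyfile" volume.

something.myqnapcloud.com {
	# As first posted (does not work when Caddy runs in a container):
	#   reverse_proxy localhost:8920
	# 1. "localhost" inside the Caddy container is the container itself,
	#    not the NAS, so nothing is listening there.
	# 2. 8920 is Jellyfin's HTTPS port. Caddy terminates TLS for the
	#    browser and speaks plain HTTP to the app, so the upstream is
	#    Jellyfin's HTTP port 8096 and Jellyfin's own HTTPS option can
	#    stay off.

	# Case A: Jellyfin installed directly on the NAS (not in Docker).
	# Use the NAS's address on the private network (placeholder below).
	reverse_proxy 192.168.1.10:8096

	# Case B: Jellyfin is a service in the same Compose project.
	# Use its service name instead (assumed to be "jellyfin"):
	#   reverse_proxy jellyfin:8096
}
```

With this layout only Caddy's published ports (80 and 443 in the compose file above) carry traffic from outside; the hop to port 8096 stays on the private network.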
